95d5563c56b99f6220f454a4d891b907adae645b98e9950304b7e06910ae4d55

General

Target

863c7056d452d337e5be491f02d65b2f.exe
Size

3.2MB
MD5

863c7056d452d337e5be491f02d65b2f
SHA1

2ca72e95276a93f0a4f4b3c3ecec85b00ac7cf88
SHA256

95d5563c56b99f6220f454a4d891b907adae645b98e9950304b7e06910ae4d55
SHA512

8b8b4efa7ba74cf585ead9cc2841a35f6cfb58199517c41eb7e6354756c8a388e9d4823c889c5f941236e61c66a84ddf25d7c16502182b802c53ed94ad742ad7
SSDEEP

98304:a5VArrYT5s2cakchS87ccakc5J1at2QucakchS87ccakcO:a5Wu5dlhS87cdl5JskTdlhS87cdlO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2560	863c7056d452d337e5be491f02d65b2f.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	863c7056d452d337e5be491f02d65b2f.exe

Loads dropped DLL 1 IoCs

pid	Process
2512	863c7056d452d337e5be491f02d65b2f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2512-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c000000012242-11.dat	upx
behavioral1/files/0x000c000000012242-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2732	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	863c7056d452d337e5be491f02d65b2f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	863c7056d452d337e5be491f02d65b2f.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	863c7056d452d337e5be491f02d65b2f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	863c7056d452d337e5be491f02d65b2f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2512	863c7056d452d337e5be491f02d65b2f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2512	863c7056d452d337e5be491f02d65b2f.exe
2560	863c7056d452d337e5be491f02d65b2f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2560	2512	863c7056d452d337e5be491f02d65b2f.exe	29
PID 2512 wrote to memory of 2560	2512	863c7056d452d337e5be491f02d65b2f.exe	29
PID 2512 wrote to memory of 2560	2512	863c7056d452d337e5be491f02d65b2f.exe	29
PID 2512 wrote to memory of 2560	2512	863c7056d452d337e5be491f02d65b2f.exe	29
PID 2560 wrote to memory of 2732	2560	863c7056d452d337e5be491f02d65b2f.exe	30
PID 2560 wrote to memory of 2732	2560	863c7056d452d337e5be491f02d65b2f.exe	30
PID 2560 wrote to memory of 2732	2560	863c7056d452d337e5be491f02d65b2f.exe	30
PID 2560 wrote to memory of 2732	2560	863c7056d452d337e5be491f02d65b2f.exe	30
PID 2560 wrote to memory of 2740	2560	863c7056d452d337e5be491f02d65b2f.exe	32
PID 2560 wrote to memory of 2740	2560	863c7056d452d337e5be491f02d65b2f.exe	32
PID 2560 wrote to memory of 2740	2560	863c7056d452d337e5be491f02d65b2f.exe	32
PID 2560 wrote to memory of 2740	2560	863c7056d452d337e5be491f02d65b2f.exe	32
PID 2740 wrote to memory of 2816	2740	cmd.exe	34
PID 2740 wrote to memory of 2816	2740	cmd.exe	34
PID 2740 wrote to memory of 2816	2740	cmd.exe	34
PID 2740 wrote to memory of 2816	2740	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\863c7056d452d337e5be491f02d65b2f.exe
"C:\Users\Admin\AppData\Local\Temp\863c7056d452d337e5be491f02d65b2f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\863c7056d452d337e5be491f02d65b2f.exe
  C:\Users\Admin\AppData\Local\Temp\863c7056d452d337e5be491f02d65b2f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\863c7056d452d337e5be491f02d65b2f.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\iTs8OBfE.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN QxutJGth3fd4
      4⤵
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\863c7056d452d337e5be491f02d65b2f.exe

Filesize
609KB

MD5
5dba145f99b398cfcc8e3cf980fc3726

SHA1
9a67020978e26197f4d7ad7f9ba12ab70903d095

SHA256
4ce2eab363487578935734dc69e53b1b0d6722e67208b6ac362b69edd5b1c8e8

SHA512
64d64edb5bda7d0a2adef123a9e263cdbdba1ca78df7b0e9e4fa301ffef395fc9fbd5908eb30b35b58b767a9e6d058e07c6a52a854608113a333bb0f6bb04e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\iTs8OBfE.xml

Filesize
1KB

MD5
4d6d961de39401c3f836140b52e27ecc

SHA1
b44696129bd7b12f64df0ced0e267fb5bc9a6f42

SHA256
d6e2e73f97c6f586f0e4981c0464dbd6181813283fb978b34faec93fd03023a7

SHA512
a8788370c4932538d8566a44eb24d71c704f21d9798f94b9487ea2125c03be37adb02aec458bc2b0fc2ad9785673b4f377d88e8b5490e17b74fef428b4adc033

Download Submit
\Users\Admin\AppData\Local\Temp\863c7056d452d337e5be491f02d65b2f.exe

Filesize
424KB

MD5
12f55c644182a8072e3a8eb457eeab4a

SHA1
77f6963d9a516916a68093f5db129a07014df88d

SHA256
271895dc1f22dae549636773df460651449dbfeb395d03991648b78b36edc1df

SHA512
2d06b444b023244404326a599a37a1dc9b233f156bbfa04cb1fa3be231e7f3314d6ca457c6b8c74d0a1e9af8591ccfd089454eb7a235e236ce1ba1b6272d6b69

Download Submit
memory/2512-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2512-19-0x0000000023430000-0x000000002368C000-memory.dmp

Filesize
2.4MB

Download
memory/2512-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2512-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2512-3-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/2512-53-0x0000000023430000-0x000000002368C000-memory.dmp

Filesize
2.4MB

Download
memory/2560-18-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2560-26-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2560-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2560-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2560-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads